API Access & Usage Policy

Updated: 21st January 2026

This API Access & Usage Policy (the “Policy”) governs use of Fanvue’s application programming interfaces (the “API”). It applies to all requests made with an API Key issued by Fanvue.

This Policy supplements the General Terms & Conditions and other applicable Fanvue Policies. If there is any conflict between this Policy and the General Terms, the terms of this Policy shall prevail for the specific subject matter it governs.

All defined terms used herein shall have the meaning assigned in the General Terms & Conditions, unless otherwise stated.


DEFINITIONS

“API Key” means a unique credential issued by Fanvue, used to authenticate API requests. It must be sent in the X-Fanvue-API-Key header.

“Scopes” means the fixed permissions associated with an API Key, which determine which endpoints and operations the key may access. Scopes are set when the key is issued and cannot be modified afterwards.

“API Version” means the required version identifier for the API, sent in the X-Fanvue-API-Version header. The value must follow the format YYYY-MM-DD (e.g. 2025-06-26).

“Rate Limit” means the maximum number of requests permitted per key within a defined window.

“Supported Version” means an API Version that Fanvue currently supports. Fanvue may deprecate or sunset versions.

“Third-Party Application” means an application registered on Fanvue that can request access to user accounts via OAuth authorisation. Also referred to as an “OAuth Application” or “Developer Application”.

“Application Credentials” means the client ID, client secret, redirect URIs, and webhook callback URLs associated with a Third-Party Application.


1. ACCESS & AUTHORISATION

1.1 Authentication

  1. All secured endpoints require the header X-Fanvue-API-Key.
  2. Keys are validated for format, hashed, and matched against Fanvue records. Revoked keys are rejected.
  3. On successful authentication, the request context is associated with the issuing user and the key’s scopes.

1.2 Authorisation

  1. Endpoints declare required Scopes. Access is granted only if the API Key’s Scopes include the required set.
  2. Requests without valid credentials or sufficient permissions will return a 401 Unauthorized or 403 Forbidden response status code, as appropriate.

1.3 API Versioning

  1. The header X-Fanvue-API-Version is required on requests in the format YYYY-MM-DD.
  2. Fanvue may reject unsupported or sunset versions and require an upgrade to a Supported Version.
  3. Version lifecycle follows: Active → Deprecated → Sunset.
  4. Deprecation is communicated via response headers. Sunset is the standard header defined in RFC 8594; Deprecation follows the IETF Deprecation header field; X-Fanvue-API-Next-Version is Fanvue-specific:
    1. Deprecation: Indicates when the version was deprecated.
    2. Sunset: Specifies when the version will stop working.
    3. X-Fanvue-API-Next-Version: Recommends the migration path.

2. API KEY MANAGEMENT

  1. API Keys are issued to a specific Fanvue user account and are non-transferable. Only one active API key per user is permitted at any time.
  2. Keys can be obtained and managed at https://www.fanvue.com/api-keys.
  3. Keys are stored hashed and cannot be retrieved after creation. Keys can be revoked at any time, with revocation taking immediate effect.
  4. Scopes are fixed when the key is issued and cannot be modified after creation.
  5. Fanvue may record API usage metadata (e.g. key identifier, method, path, timestamps) for security, audit, and operational purposes in accordance with our Privacy Policy.

3. TECHNICAL REQUIREMENTS

  1. Required headers on secured endpoints:
    1. X-Fanvue-API-Key: a valid, unrevoked key.
    2. X-Fanvue-API-Version: the requested API Version (e.g. 2025-06-26).
  2. Requests must be made over HTTPS. Plain HTTP is not permitted.
  3. Clients must handle error responses appropriately:
    1. 400 Bad Request: Invalid request (e.g., unsupported API version, malformed parameters). Check the error message and API documentation for details.
    2. 401 Unauthorized: Missing or invalid authentication.
    3. 403 Forbidden: Insufficient permissions for the requested endpoint.
    4. 410 Gone: API version permanently removed (includes nextVersion field).
    5. 429 Too Many Requests: Rate limit exceeded (includes Retry-After header).

4. PERMITTED USE

  1. Subject to Scope, the API enables the following operations:
    1. Users: Reading current user details.
    2. Chats: Listing chats, creating new chats, sending messages, retrieving chat messages.
    3. Creators: Reading followers and subscribers.
    4. Insights: Reading earnings data, top-spending fans, and subscriber counts.
    5. Agencies: Managing creators, creator-specific chat operations, and creator analytics.
  2. Pagination and filtering may apply as documented for each endpoint.
  3. API access is controlled and may be limited to whitelisted or approved users during rollout.

5. PROHIBITED USE

  1. Calling secured endpoints without a valid API Key or with an invalid format.
  2. Accessing endpoints without the necessary Scopes.
  3. Exceeding Rate Limits or failing to respect Retry-After guidance.
  4. Attempting to subvert authentication, authorisation, versioning controls, or rate limiting.
  5. Misusing or sharing API Keys. Keys must be kept confidential and secure.
  6. Any use contrary to the Acceptable Use Policy or this Policy.
  7. Creating Third-Party Applications at the request, instruction, or encouragement of any third party. Applications must only be created by and for the developer who will operate and control them.
  8. Sharing Application Credentials (including client secrets, redirect URIs, or webhook callback URLs) with any third party, or configuring these to point to domains or services not under your direct control.
  9. Providing instructions, tutorials, or encouragement to others to create applications or share credentials in a manner that violates this Policy.

6. RATE LIMITS & FAIR USAGE

  1. Default limit: 100 requests per 60 seconds per API Key (subject to change or per-route overrides). The request bucket refills completely every 60 seconds.
  2. Responses include standard rate limit headers when applicable:

    Header                  Meaning
    X-RateLimit-Limit       Total request capacity for the current window
    X-RateLimit-Remaining   Requests remaining in the current window
    X-RateLimit-Reset       Unix time (seconds) when the window resets

  3. When limits are exceeded, the API returns a 429 Too Many Requests status code and may include:
    1. Retry-After header: seconds until another request may be attempted.
  4. Implement exponential backoff and honour the Retry-After header to avoid throttling.
  5. Fanvue may tune limits per route or client and may enforce stricter limits for stability.
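The following client skeleton is an added example written for this page, not Fanvue's own SDK. It ties together the rules in Sections 1.3, 3 and 6: both required headers on every request, HTTPS only, exponential backoff that honours Retry-After on 429, no retry on 401/403/410, and surfacing of the Deprecation, Sunset and X-Fanvue-API-Next-Version headers. The base URL, the FANVUE_API_KEY environment variable, the /users/me path, the nextVersion JSON field placement and all response values are assumptions; the HTTP transport is injected so the example runs offline against a constructed fake server.

```python
"""Added example client for Fanvue API header, versioning and rate-limit handling.
Illustrative only: base URL, env var name, paths and sample responses are assumptions."""
import os
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

API_KEY_HEADER = "X-Fanvue-API-Key"
API_VERSION_HEADER = "X-Fanvue-API-Version"
NEXT_VERSION_HEADER = "X-Fanvue-API-Next-Version"
VERSION_FORMAT = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # YYYY-MM-DD (Section 1.3)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: Dict = field(default_factory=dict)


class ApiError(Exception):
    def __init__(self, message: str, next_version: Optional[str] = None):
        super().__init__(message)
        self.next_version = next_version  # populated on 410 Gone


def load_api_key(env: Optional[Dict[str, str]] = None) -> str:
    """Read the key from the environment (Section 10.2); never hardcode it."""
    key = (env if env is not None else os.environ).get("FANVUE_API_KEY")  # assumed var name
    if not key:
        raise ValueError("FANVUE_API_KEY is not set")
    return key


@dataclass
class FanvueClient:
    api_key: str
    api_version: str
    send: Callable[[str, str, Dict[str, str]], Response]  # transport: (method, url, headers)
    base_url: str = "https://api.fanvue.com"              # assumption, not from the policy
    max_retries: int = 5
    sleep: Callable[[float], None] = time.sleep
    lifecycle_warnings: List[str] = field(default_factory=list)
    remaining: Optional[int] = None   # last X-RateLimit-Remaining seen
    reset_at: Optional[int] = None    # last X-RateLimit-Reset seen (Unix seconds)

    def __post_init__(self) -> None:
        if not VERSION_FORMAT.match(self.api_version):
            raise ValueError(f"API version must be YYYY-MM-DD, got {self.api_version!r}")
        if not self.base_url.startswith("https://"):
            raise ValueError("plain HTTP is not permitted (Section 3.2)")

    def _inspect(self, resp: Response) -> None:
        """Record rate-limit state and any deprecation/sunset signal (Sections 1.3.4, 6.2)."""
        h = {k.lower(): v for k, v in resp.headers.items()}
        if "deprecation" in h or "sunset" in h:
            self.lifecycle_warnings.append(
                f"version {self.api_version}: deprecation={h.get('deprecation')} "
                f"sunset={h.get('sunset')} next={h.get(NEXT_VERSION_HEADER.lower())}")
        if "x-ratelimit-remaining" in h:
            self.remaining = int(h["x-ratelimit-remaining"])
        if "x-ratelimit-reset" in h:
            self.reset_at = int(h["x-ratelimit-reset"])

    def request(self, method: str, path: str) -> Response:
        headers = {API_KEY_HEADER: self.api_key, API_VERSION_HEADER: self.api_version}
        delay = 1.0  # exponential backoff base, used only when Retry-After is absent
        for attempt in range(self.max_retries + 1):
            resp = self.send(method, self.base_url + path, headers)
            self._inspect(resp)
            if resp.status == 429:
                if attempt == self.max_retries:
                    raise ApiError("rate limit exceeded; giving up")
                ra = resp.headers.get("Retry-After", "")
                self.sleep(float(ra) if ra.isdigit() else delay)  # honour Retry-After first
                delay = min(delay * 2, 60.0)
                continue
            if resp.status == 410:          # version sunset: retrying cannot help
                raise ApiError("API version sunset", next_version=resp.body.get("nextVersion"))
            if resp.status in (401, 403):   # fix the key or Scopes; do not retry
                raise ApiError(f"HTTP {resp.status}: check API Key and Scopes")
            if resp.status >= 400:
                raise ApiError(f"HTTP {resp.status}: {resp.body}")
            return resp
        raise AssertionError("unreachable")


def fake_server(script: List[Response]) -> Callable[[str, str, Dict[str, str]], Response]:
    """Constructed offline transport: enforces the required headers, then replays `script`."""
    def send(method: str, url: str, headers: Dict[str, str]) -> Response:
        if not headers.get(API_KEY_HEADER):
            return Response(401, {})
        if not VERSION_FORMAT.match(headers.get(API_VERSION_HEADER, "")):
            return Response(400, {}, {"error": "unsupported API version"})
        return script.pop(0)
    return send


if __name__ == "__main__":
    waits: List[float] = []
    script = [Response(429, {"Retry-After": "2", "X-RateLimit-Remaining": "0"}),
              Response(200, {"Sunset": "Mon, 01 Dec 2025 00:00:00 GMT",
                             NEXT_VERSION_HEADER: "2026-01-01"}, {"handle": "example"})]
    c = FanvueClient("fv_test_key", "2025-06-26", fake_server(script), sleep=waits.append)
    print(c.request("GET", "/users/me").body, waits, c.lifecycle_warnings)
```

The transport is a plain callable so the same client can be wired to any HTTP library; the important behaviour is that 429 is the only status that is retried, and the wait comes from Retry-After when present and from the doubling backoff otherwise.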

7. DATA & PRIVACY

  1. API responses are scoped to the authenticated user and permitted Scopes.
  2. Fanvue processes and stores API-related data in accordance with our Privacy Policy.
  3. Except for the write operations explicitly documented for specific endpoints (for example creating chats and sending messages under Section 4), the API provides read-only access. No other write operations are available unless explicitly documented.

8. INTELLECTUAL PROPERTY

  1. The API, its specification, and related documentation are owned by or licensed to Fanvue.
  2. This Policy does not grant any IP rights beyond those necessary to consume the API as permitted by your Scopes and the General Terms & Conditions.

9. RESALE & REUSE

  1. Reselling, sublicensing, or redistributing API access, data, or responses to third parties is not permitted unless expressly authorised by Fanvue.
  2. Additional restrictions may apply under the Acceptable Use Policy and other Platform terms.

10. SECURITY REQUIREMENTS

  1. Always use HTTPS and secure, up-to-date TLS configurations.
  2. Store API Keys securely:
    1. Use environment variables or secure secrets management systems.
    2. Never hardcode keys in source code.
    3. Do not embed keys in client-side code or expose them publicly.
    4. Do not commit API keys to publicly accessible version control repositories (e.g., GitHub).
  3. Rotate Keys periodically and immediately if compromise is suspected.
  4. Monitor API usage for unexpected activity.
  5. Handle error responses gracefully and remediate underlying causes before retrying.
  6. Do not attempt to bypass security controls or versioning requirements.
  7. Third-Party Application Security:
    1. Never create a Third-Party Application at the instruction of another person, service, or chatbot. Legitimate services will have their own registered developer application.
    2. Never share your Application Credentials with anyone. If a service asks you to create an app and provide them with credentials, this is likely fraudulent.
    3. Only configure redirect URIs and webhook callbacks that point to domains you own and control.
    4. If you are a user (not a developer), you should connect to third-party services via the standard “Connect with Fanvue” OAuth flow, not by creating your own application.
  8. Regularly review connected third-party applications at Settings → Account → Third Party Apps Consent. Revoke access for any applications you do not recognise or no longer use.
  9. If you suspect your Application Credentials have been compromised or shared:
    1. Immediately revoke third-party access at Settings → Account → Third Party Apps Consent.
    2. Delete any compromised applications at Creator Tools → Build → [Select App] → Delete.
    3. Report the incident to Fanvue at support@fanvue.com.
  10. Be alert to social engineering attacks. Common tactics include:
    1. Chatbots or automated services asking you to create an application “for them”.
    2. Promises of AI-powered features, automation, or analytics in exchange for creating apps.
    3. Instructions to share redirect URIs, webhook URLs, or client secrets.
    4. Pressure to act quickly or share the service with other creators.
  11. Report suspected social engineering attempts or fraudulent services to Fanvue immediately.

11. TERMINATION, SUSPENSION & VERSIONING

  1. Fanvue may suspend or revoke API access at any time for policy breaches, abuse, risk, or operational reasons.
  2. Keys may be revoked individually by Fanvue or at your request; revocation takes immediate effect.
  3. Fanvue may deprecate or sunset API Versions. Clients must upgrade to Supported Versions within timelines communicated by Fanvue.
  4. Fanvue may apply throttling or other protective measures to preserve Platform integrity.
  5. Fanvue may take immediate action, including suspension or termination, against accounts involved in credential sharing, social engineering, or facilitating unauthorised access to other users’ accounts.

Need Help?

If you have questions about any of our policies or need assistance:

Fanvue reserves the right to amend this Policy from time to time. The latest version will always be accessible at legal.fanvue.com, and significant changes will be communicated where required.